Rating:
See here: [https://berryberry.hatenablog.jp/](https://berryberry.hatenablog.jp/entry/2022/03/14/032052)
First of all, this challenge is to send a correct input to the server.
## Given File
I obtained an executable file named "file" and opened it in ghidra.
I changed some function name for understand.
![](https://cdn-ak.f.st-hatena.com/images/fotolife/B/Berrys/20220314/20220314030346.png)
First, this program receives input in line 11.
In line 17, the input function checks input format.
The input format is like "num;num;num;...;num".
Between line 18 and line 21, the check1 function determines whether the quotient and remainder of the iva1 variable divided by 14 are between 0 and 13 or not. If it's not, then it displays "cheater". Therefore, we can choose numbers between 0 and 195.
In line 22, the check2 function determines whether all 196(=14*14) characters beginning with &DAT_00104100 are 0x2d(-) or 0x2a(*).
![](https://cdn-ak.f.st-hatena.com/images/fotolife/B/Berrys/20220314/20220314031100.png)
Now, what is a string begins with &DAT_00104100 ?
Look at line 16, the initialization function calculates the remainder of the pseudorandom number divided by 14 and replaces the &DAT_00104100 index with 2a. It also process other things.
![](https://cdn-ak.f.st-hatena.com/images/fotolife/B/Berrys/20220314/20220314031306.png)
## Solution
The solution is to find the input number which does not display "BOOM" in the check1 function.
I spent much time to find a solution using the rand function in the initialization function. However, i coudn't, so I looked for a number which does not display "BOOM" in the check1 function one by one.
Here is the correct input.
![](https://cdn-ak.f.st-hatena.com/images/fotolife/B/Berrys/20220314/20220314031615.png)
Finally, my writeup may help you understand this program, but may not be good for people who want to solve it correctly. Thank you.